Subnets
- Use case
- Group similar instance roles in the same network segment
- Allow splitting a flat network into multiple segments
- Used for routing purposes
- Can have only 1 route table associated (explicitly, or the VPC's main route table by default)
- Each subnet has an implicit router (the VPC router) at the .1 address
- 5 IP addresses are reserved in each VPC subnet (overhead), e.g. for 10.0.0.0/24:
- 10.0.0.0 (network address)
- 10.0.0.1 (reserved for the VPC router)
- 10.0.0.2 (reserved for the Amazon-provided DNS server)
- 10.0.0.3 (reserved for future use)
- 10.0.0.255 (network broadcast address; broadcast is not supported in a VPC, so the address is reserved)
- Each subnet exists in 1 AZ (cannot span 2 AZs)
- Can be used as a scope for restricting access (e.g. 4 IT members, each permitted to launch into one subnet only)
- Must be associated with a NACL (if not explicitly, the default NACL is used)
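The reserved-address rule above and the "/16 carved into /24 subnets" arithmetic used in Scenario 1 below, as a worked example. This is added here and is not part of the original notes; it uses only the Python standard library, and the AZ names and tier labels in the plan are made up for illustration.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every IPv4 subnet.
RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr: str) -> dict:
    """The five addresses AWS reserves in a subnet, keyed by their purpose."""
    net = ipaddress.IPv4Network(cidr)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        "dns": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        # Broadcast is unsupported inside a VPC, so the address is simply reserved.
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign to instances in a subnet of this size."""
    net = ipaddress.IPv4Network(cidr)
    if not 16 <= net.prefixlen <= 28:          # AWS allows subnet CIDRs from /16 to /28
        raise ValueError("VPC subnet CIDRs must be between /16 and /28")
    return net.num_addresses - RESERVED_PER_SUBNET


def carve(vpc_cidr: str, prefix: int) -> list:
    """Split a VPC CIDR into equal subnets of the given prefix length."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= prefix <= 28:
        raise ValueError("VPC and subnet prefixes must be between /16 and /28")
    return [str(s) for s in vpc.subnets(new_prefix=prefix)]


def plan_subnets(vpc_cidr: str, prefix: int, azs: list, tiers: list) -> list:
    """Assign one subnet per (tier, AZ) pair; a subnet lives in exactly one AZ."""
    pool = iter(carve(vpc_cidr, prefix))
    plan = []
    for tier in tiers:
        for az in azs:
            plan.append({"tier": tier, "az": az, "cidr": next(pool)})
    return plan


if __name__ == "__main__":
    print(reserved_addresses("10.0.0.0/24"))
    print("/24 usable hosts:", usable_hosts("10.0.0.0/24"))
    print("/24 subnets in a /16:", len(carve("10.0.0.0/16", 24)))
    # Made-up AZ names and tiers, two subnets per tier spread over two AZs.
    for entry in plan_subnets("10.0.0.0/16", 24, ["us-east-1a", "us-east-1b"], ["public", "private"]):
        print(entry)
```

A /24 yields 251 usable addresses, not 254 as on a conventional network, and the smallest permitted subnet (/28) yields only 11; the plan keeps each subnet in a single AZ, which is why a two-AZ, two-tier layout needs four subnets rather than two.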
Private Subnet
- Instances have no direct Internet connection
- No route to an IGW
- Outbound Internet access (e.g. for updates) must go through NAT in a public subnet
- Typically used for backend servers (e.g. databases)
Public Subnet
- Instances can have direct Internet access
- Route table must have a route to an IGW
- Instance must have a public IPv4 address (auto-assigned or Elastic IP) to be reachable
NACL
- Stateless firewall (must manually configure rules for return traffic)
- Ephemeral ports matter for response traffic: the client initiates from a port in this range, so the reply's destination port falls in it
- Linux: 32768-61000
- ELB: 1024-65535
- Windows2k8: 49152-65535
- Applies to traffic entering/leaving the subnet
- Instances in the same subnet talk to each other without the NACL being consulted
- Traffic between a load balancer and an EC2 instance in the same subnet DOES have the NACL evaluated
- Security Group differences
- SG are stateful
- SG rules are enforced at the instance's network interface (by the hypervisor) and take effect immediately
- SG rules may reference other SGs
- Two instances in the same SG cannot talk to each other unless a rule explicitly allows it (e.g. a rule referencing the SG itself; the VPC's default SG has such a self-referencing inbound rule, custom SGs do not)
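The stateless-versus-stateful difference above, and the ephemeral-port consequence, as a worked example. This is added here and is not code from the original notes or from AWS; it models NACL evaluation (rule numbers, first match wins, implicit deny) and security-group evaluation (connection tracking) in pure Python. The addresses, ports and rule numbers are constructed for the demonstration; the 203.0.113.0/24 client range is the TEST-NET-3 documentation block.

```python
import ipaddress
from dataclasses import dataclass

# Ephemeral source-port ranges used by common clients (from the notes above).
# Reply traffic arrives with one of these as its destination port, so the
# NACL rule covering the reply direction must allow the whole range.
EPHEMERAL_PORTS = {
    "linux": (32768, 61000),
    "elb": (1024, 65535),          # also the safe choice for unknown Internet clients
    "windows_2008": (49152, 65535),
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The packet flowing back the other way (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp", "udp" or "all"
    port_from: int    # destination port range, in the direction the rule governs
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str = "allow"
    number: int = 0   # NACL rule number; unused for security groups


def rule_matches(rule: Rule, packet: Packet, direction: str) -> bool:
    remote = packet.src_ip if direction == "inbound" else packet.dst_ip
    return (rule.proto in ("all", packet.proto)
            and rule.port_from <= packet.dst_port <= rule.port_to
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr))


def ephemeral_rule(number: int, platform: str, cidr: str = "0.0.0.0/0") -> Rule:
    """NACL allow rule covering a platform's ephemeral range, for the reply direction."""
    lo, hi = EPHEMERAL_PORTS[platform]
    return Rule("tcp", lo, hi, cidr, "allow", number)


class SubnetNacl:
    """Stateless: each direction is judged on its own, lowest rule number first,
    first match wins, and anything unmatched hits the implicit deny ('*' rule)."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}

    def decide(self, packet: Packet, direction: str) -> str:
        for rule in sorted(self.rules[direction], key=lambda r: r.number):
            if rule_matches(rule, packet, direction):
                return rule.action
        return "deny"

    def exchange(self, request: Packet, direction: str):
        """Decisions for a request and for its reply, which travels the other way."""
        other = "outbound" if direction == "inbound" else "inbound"
        return self.decide(request, direction), self.decide(request.reply(), other)


class SecurityGroup:
    """Stateful: once a request is allowed its reply is allowed regardless of the
    rules in the reply direction. Only allow rules exist and there is no ordering."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()   # connection-tracking table of allowed 5-tuples

    def decide(self, packet: Packet, direction: str) -> str:
        five_tuple = (packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port, packet.proto)
        reverse = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port, packet.proto)
        if reverse in self.flows:           # reply to a tracked connection
            return "allow"
        if any(rule_matches(r, packet, direction) for r in self.rules[direction]):
            self.flows.add(five_tuple)
            return "allow"
        return "deny"


# Constructed sample: an Internet client opening HTTPS to a web server at
# 10.0.0.10 in the public subnet, with an inbound rule allowing 443 from anywhere.
HTTPS_FROM_INTERNET = Packet("203.0.113.5", 40000, "10.0.0.10", 443)
ALLOW_HTTPS_IN = Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)

if __name__ == "__main__":
    nacl = SubnetNacl(inbound=[ALLOW_HTTPS_IN], outbound=[])
    print("NACL, no ephemeral rule:", nacl.exchange(HTTPS_FROM_INTERNET, "inbound"))
    nacl = SubnetNacl(inbound=[ALLOW_HTTPS_IN], outbound=[ephemeral_rule(100, "elb")])
    print("NACL, 1024-65535 outbound:", nacl.exchange(HTTPS_FROM_INTERNET, "inbound"))
    sg = SecurityGroup(inbound=[ALLOW_HTTPS_IN], outbound=[])
    print("SG request/reply:", sg.decide(HTTPS_FROM_INTERNET, "inbound"),
          sg.decide(HTTPS_FROM_INTERNET.reply(), "outbound"))
```

With no outbound rule the NACL lets the SYN in and drops the SYN-ACK, so the connection never completes; the security group with an empty outbound rule set still passes the reply because it tracks the flow. Choosing the Linux range for the outbound rule is enough for Linux clients but denies replies to clients that pick lower source ports (older Windows hosts use 1025-5000), which is why Internet-facing subnets usually allow 1024-65535.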
VPC Subnet Scenarios
- Scenario 1: VPC with single public subnet
- VPC of size /16 (65,536 addresses)
- Subnets of size /24 (256 addresses, 251 usable); a /16 holds 256 such subnets
- A route to an IGW is what makes a VPC subnet public (that is the definition)
- Route Table
- 10.0.0.0/16 local
- 0.0.0.0/0 IGW
- NACL: include return traffic (ephemeral)
- For an instance to be reachable from the Internet it needs (one of)
- an Elastic IP
- an auto-assigned public IPv4 address (which also gets a public DNS hostname)
- to sit behind an Internet-facing ELB
- Scenario 2: VPC with public and private subnets
- Public
- 10.0.0.0/24
- Web servers
- NAT instance in the public subnet gives the private subnet outbound-only Internet access (e.g. for software updates)
- Alternative: managed NAT Gateway
- A bastion host (SSH jump host / port forwarder) in the public subnet is used to manage private instances
- Private
- 10.0.1.0/24
- Backend servers and database
- No Elastic IPs (nor any other public IPs) so they can't receive Internet traffic
- NACL: allow traffic from the public subnet (10.0.0.0/24 above)
- Scenario 3: VPC with public and private subnets and VPN connection
- Public - same as Scenario 2
- Private - VPN subnet only
- All Internet-bound traffic goes via the VGW to the corporate network, which routes it onward
- Alternatively NAT can be set up as in Scenario 2
- Scenario 4: VPC with a private subnet only and VPN connection
- Private subnet only - as in Scenario 3, with no IGW and no NAT
- No exposure to the internet
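The four scenarios differ only in what the subnet's route table points 0.0.0.0/0 at, which makes "which tier is this subnet really in?" a mechanical check. The following is a worked example added here; it is not from the original notes and not an AWS tool. The data is constructed to mirror the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-subnets` JSON (abbreviated, with made-up IDs) and models Scenarios 2 and 3 plus a subnet created without an explicit route-table association.

```python
# Constructed sample data; field names follow the AWS CLI output shape, IDs are invented.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub", "Main": False}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv", "Main": False}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-demo", "State": "active"}]},
    {"RouteTableId": "rtb-vpn", "Associations": [{"SubnetId": "subnet-vpn", "Main": False}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-demo", "State": "active",
                        "Origin": "EnableVgwRoutePropagation"}]},
]

SUBNETS = [
    {"SubnetId": "subnet-pub", "CidrBlock": "10.0.0.0/24", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-vpn", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
    # No explicit association: this subnet silently inherits the main route table.
    {"SubnetId": "subnet-new", "CidrBlock": "10.0.3.0/24", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
]


def main_route_table(route_tables):
    return next(rt for rt in route_tables
                if any(a.get("Main") for a in rt.get("Associations", [])))


def route_table_for(subnet_id, route_tables):
    """Explicitly associated table if there is one, else the VPC's main table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return main_route_table(route_tables)


def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route (blackholed routes are ignored), or None."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
                if key in route:
                    return route[key]
    return None


def classify(route_table):
    target = default_route_target(route_table)
    if target is None:
        return "isolated"                       # Scenario 4: no path to the Internet
    if target.startswith("igw-"):
        return "public"                         # Scenario 1, and the public half of 2 and 3
    if target.startswith(("nat-", "i-", "eni-")):
        return "private-nat"                    # NAT gateway, or a NAT instance / its ENI
    if target.startswith("vgw-"):
        return "vpn-only"                       # Scenario 3: Internet only via the corporate side
    return "unknown:" + target


def classify_subnets(route_tables, subnets):
    return {s["SubnetId"]: classify(route_table_for(s["SubnetId"], route_tables)) for s in subnets}


def audit(route_tables, subnets):
    """Findings a reviewer would flag; an empty list means nothing stood out."""
    findings = []
    if classify(main_route_table(route_tables)) == "public":
        findings.append("main route table has an IGW default route: every subnet "
                        "without an explicit association is public")
    tiers = classify_subnets(route_tables, subnets)
    for s in subnets:
        sid, tier = s["SubnetId"], tiers[s["SubnetId"]]
        if tier == "public" and not s["MapPublicIpOnLaunch"]:
            findings.append(f"{sid} is public but does not auto-assign public IPs; "
                            "instances need an Elastic IP to be reachable")
        if tier != "public" and s["MapPublicIpOnLaunch"]:
            findings.append(f"{sid} auto-assigns public IPs but has no IGW route; "
                            "those addresses are unreachable and suggest a misplaced subnet")
    return findings


if __name__ == "__main__":
    for subnet_id, tier in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet_id:12} {tier}")
    print(audit(ROUTE_TABLES, SUBNETS) or "no findings")
```

The main-route-table finding is the one worth remembering: if someone ever adds an IGW route to the main table, every subnet that was never explicitly associated (like `subnet-new` above) becomes public without anyone touching it. To run this against a real account, feed the `RouteTables` and `Subnets` arrays from the two describe calls into the same functions.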